Cross-Organization Campaign Intelligence
What it is
Phishing and adversary-in-the-middle (AITM) campaigns rarely target a single organization. The same kit is reused against many companies, rotating through fresh domains every few hours to stay ahead of static blocklists.
Campaign Intelligence lets Surface Security recognize, in near real time, when a threat your users encounter is part of a broader campaign already seen at other organizations — so a brand-new lookalike domain you have never encountered can be flagged with high confidence the first time one of your users lands on it.
This is opt-in. It is controlled by the existing Threat Intelligence Sharing setting. If that setting is off, none of the behavior described here is active.
What leaves your endpoints
Nothing sensitive. When Threat Intelligence Sharing is enabled, Surface Security shares fingerprints, not content:
- Fuzzy structural and visual hashes of suspicious pages (one-way hashes — the original page cannot be reconstructed from them).
- Numeric and categorical features of a suspicious domain: how close it is to a known brand name, how deep its subdomains go, and a general class of top-level domain. The raw domain name itself is not shared.
- One-way hashes of any credential-exfiltration destinations detected in an AITM attack.
- The brand a page appears to be impersonating (e.g. "microsoft").
Never shared: the URLs your users visit, the page contents, form data, credentials, your users' identities, or your organization's identity.
What you get back
When a fingerprint matches a known campaign, the related alert is enriched with:
- A campaign identifier, so repeated hits and related alerts can be grouped.
- "First seen elsewhere" — a relative time (for example, "first observed about 3 hours ago at other organizations"). No other organization is named.
- The number of distinct organizations that have encountered the campaign — a count only, never identities.
- The expected indicators for the campaign and a calibrated confidence score that accounts for how widespread and how recent the campaign is.
This context also flows into the AI analysis attached to the alert, so the written summary can explain that the threat is part of a tracked campaign.
The Campaigns page in the dashboard rolls this up in two sections. Targeting your tenant lists every campaign your own alerts belong to — how many alerts, how many other organizations have seen it, and when it was first observed elsewhere (empty until you enable threat-intel sharing). Circulating across the shared pool is an advisory view of campaigns active across participating organizations — including ones you have not been hit by — so your team has early awareness. This view is purely informational: shared visual fingerprints shown there are never used to block a site.
Anonymity guarantees
- Your deployment participates under an anonymous token. Other organizations never see which fingerprints came from you.
- The feedback you receive about a campaign contains only aggregate counts and relative times — never the name or identity of any other organization.
- Sharing is symmetric and reciprocal: you contribute anonymized fingerprints and you benefit from everyone else's. The more organizations participate, the faster and more confidently new campaigns are caught.
Enabling or disabling it
Campaign Intelligence is governed entirely by the Threat Intelligence Sharing setting for your tenant:
- Enabled — your deployment contributes anonymized fingerprints and receives campaign enrichment on alerts.
- Disabled (default) — no fingerprints are shared and no campaign enrichment is received. Your per-organization detection continues to work exactly as before; only the cross-organization correlation is turned off.
You can change this setting at any time. Turning it off stops new fingerprints from being shared promptly.
Effect on detection
Campaign Intelligence only adds confidence and context; it never weakens your existing protection. Your local phishing, AITM, and clipboard detectors keep running unchanged. If the central service is slow or unavailable, your alerts are produced exactly as they would be without the feature — there is no dependency on the shared service for your own protection to work.
It also will not block legitimate sites. Because a convincing phishing page looks identical to the real login it imitates, a shared visual fingerprint is never used on its own to block a page — it only adds context to alerts your own detectors already raised, and cross-tenant matching combines it with domain and infrastructure signals that legitimate sites don't share. Visiting the genuine login page never produces an alert, so it is never affected.